This document provides information for a bug bounty presentation. It introduces the speaker, Sagar Parmar, and his background in security. It then outlines topics to cover, including what a bug bounty is, how to get started as a new bug bounty hunter, tips for progressing, and example vulnerabilities to target like XSS, SQLi, SSRF, LFI, and RCE. Details are given on finding and reporting vulnerabilities with the goal of helping others learn and advance in bug bounty hunting.
This is a bug bounty hunter presentation given at Nullcon 2016 by Bugcrowd's Faraz Khan.
Learn more about Bugcrowd here: https://bugcrowd.com/join-the-crowd
#CSA #Dehradun
XSS Video POC in Yahoo :
https://www.youtube.com/watch?v=I2WKUJn8P7I
Tapjacking bug poc in Android 6.0 Video :
https://www.youtube.com/watch?v=8BcP3Q4ZWXQ
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016 (Frans Rosén)
Frans Rosén has reported hundreds of security issues using his big white hat since 2012. He has received the biggest bounty ever paid on HackerOne, and is one of the highest ranked bug bounty researchers of all time. He's been bug bounty hunting with an iPhone in Thailand, in a penthouse suite in Las Vegas and without even being present, using automation. He'll share his stories about how to act when a company's CISO is screaming "SH******T F*CK" in a phone call at 02:30 on a Friday night, what to do when companies are sending him money without any reason, and why Doctors Without Borders are trying to hunt him down.
IDA Vulnerabilities and Bug Bounty by Masaaki Chida (CODE BLUE)
IDA Pro is an advanced disassembler that is often used in vulnerability research and malware analysis. Because IDA Pro is used to analyse software behaviour in detail, a vulnerability in it that is exploited against the analyst can have an impact not only in a social sense but also on legal proceedings. In this presentation I will discuss the vulnerabilities found, attacks leveraging those vulnerabilities, and Hex-Rays's remediation process and the dialogue I had with them.
http://codeblue.jp/en-speaker.html#MasaakiChida
XSS is much more than just <script>alert(1)</script>. Thousands of unique vectors can be built and more complex payloads to evade filters and WAFs. In these slides, cool techniques to bypass them are described, from HTML to javascript. See also http://brutelogic.com.br/blog
Presented at OWASP AppSecUSA 2011
It's all about scale; how can an organization possibly keep up with a growing number of web applications, features, and supported capabilities with a limited security team? One option that has provided successful results for several companies is a bug bounty program. These programs successfully engage the world community and bring many eyes towards the common good.
This talk will discuss the benefits and risks of a bounty program for web applications. What types of organizations consider starting a bounty? How would an organization start such a program and what should they expect? Is the return worth the effort? How does such a program compete with the black market?
In addition to these topics, we will also discuss the progress, metrics and lessons learned from the Mozilla web application bounty that was launched in December 2010.
Introduction of Ethical Hacking, Life cycle of Hacking, Introduction of Penetration testing, Steps in Penetration Testing, Foot printing Module, Scanning Module, Live Demos on Finding Vulnerabilities a) Bypass Authentication b) Sql Injection c) Cross site Scripting d) File upload Vulnerability (Web Server Hacking) Countermeasures of Securing Web applications
Recon and Bug Bounties - What a great love story! (Abhijeth D)
In this talk, the speaker will demonstrate a few effective techniques with which researchers/pen testers can do better information gathering. The speaker will also share many stories of how these recon techniques allowed him to earn some bounties. These techniques might also be useful to red teams/incident response teams to identify rogue devices in their organisation, which are often missed during normal penetration testing. These might not be "best practices" but they are definitely "good practices" and "nice to know" things while doing penetration testing.
Bounty Craft: Bug bounty reports how do they work, @sushihack presents at Nu... (HackerOne)
HackerOne Chief Bounty Officer Adam Bacchus, a fire breathing, mohawk wearing stud, presented his "Bug Bounty Reports - How Do They Work?" at Nullcon 2017 in Goa, India for the Bounty Craft tracks. In this presentation you will learn:
- How to know and research your audience
- What are the atomic materials of a good bug report?
- Good, Bad, and Ugly examples of bug reports (taxi driver anyone?)
- What are some helpful resources
- And more!!
All these juicy details will help you level-up your reporting game and get you MORE bounties, invitation to BETTER programs, and INSANE exposure and love from fellow hackers.
Introduction to Web Application Penetration Testing (Anurag Srivastava)
Web Application Pentesting
* The process of checking and penetrating the security of a web application or a website
* The process involves an active analysis of the application for any weaknesses, technical flaws, or vulnerabilities
* Any security issues that are found are presented to the system owner, together with an assessment of the impact and a proposal for mitigation or a technical solution.
Who is a hacker? What is a bug bounty program? How do you get started with bug bounties? How much should I pay hackers who find bugs in my website and apps?
All these questions and more are answered in our bug bounty basics booklet. Learn more about the market-leading bug bounty platform and how it is the ideal choice for continuous security testing at https://www.hackerone.com/product/bounty
Silent web app testing by example - BerlinSides 2011 (Abraham Aranguren)
A practical OWASP Testing Guide walk-through focused on passive and semi-passive web app testing techniques
NOTE: Use the "Download" option at the top to see the presentation as a PDF properly
Google Hacking Lab ClassNameDate This is an introducti.docx (whittemorelucilla)
Google Hacking Lab
Class
Name:
Date:
This is an introduction to using search engines for penetration testing. "Google Hacking" is a valuable skill for penetration testers. Google's automated search algorithms constantly visit every IP in the world and collect information about the services that IP provides and indexes the content the IP makes available. Google hacking could be called an art. The information gathered is only limited to your ingenuity when crafting your queries. Keep in mind, the principles behind Google hacking apply to all search engines.
In this lab you will enumerate sub-domains, identify new machines, scour web servers for files that reside in directories but have been forgotten, learn about the underlying architecture of web servers, locate logon portals, and use targeted queries to locate specific file types. When clicking on links, use the cached version so you visit Google's cache and not the website itself.
1. Open a browser and navigate to: google.com
2. We're going to search exclusively for Wilmu domains.
2a. Type: site:wilmu.edu
3. We received too many www.wilmu.edu returns for this search to be of use. Let's subtract some information from our query.
3a. Type: site:wilmu.edu -site:www.wilmu.edu -site:libguides.wilmu.edu
3b. What new domains did you identify?
Answer:
4. Now let's see what systems provide directory listings. Directory listings are important because there is the potential you will be able to see the entire website's file structure. Also, many webmasters forget to remove content they no longer make visible with hyperlinks. This content is valuable for various information gathering and exploitation reasons because it could be old pictures, databases, password files, etc. (Be sure to click on the cached links and not the actual links.)
4a. Type: site:umass.edu intitle:index.of
5. Another search we might do is for error or warning messages that give us an indication of the underlying infrastructure and application. Depending on the error or warning we will be able to determine if the web server is running Apache, IIS, SharePoint, WordPress, etc. To do this we would use the "or" operator. A query with the or operator for warnings or errors would look something like this: intitle:"apache status" "apache server status for" | "welcome to windows small business server 2003"
6. Let's look for applications and databases we may login to. Many organizations use Federated rights, meaning once you're logged in you may login to other systems. This is called "single sign-on" or SSO.
6a. Type: site:wilmu.edu logon | login
6b. What Portals did you find?
Answer:
7. We found some interesting portals but those are for students. Where else might a penetration tester look?
7a. Type: site:wilmu.edu faculty | staff | admin | administrator + login | logon
7b. What results did you find?
Answer:
8. We've been looking for interesting information about sub-domains, posted on websites, log ...
OWASP Top 10 Proactive Controls 2016 - PHP Québec August 2017 (Philippe Gamache)
OWASP Top 10 Proactive Controls 2016
Insecure software is undermining our financial, healthcare, defense, energy, and other critical infrastructure worldwide. As our digital, global infrastructure gets increasingly complex and interconnected, the difficulty of achieving application security increases exponentially. We can no longer afford to tolerate relatively simple security problems.
The goal of the OWASP Top 10 Proactive Controls project is to raise awareness about application security by describing the most important areas of concern that software developers must be aware of. We encourage you to use the OWASP Proactive Controls to get your developers started with application security. Developers can learn from the mistakes of other organizations.
OWASP Top 10 Proactive Controls 2016 - NorthEast PHP 2017 Philippe Gamache
Slides from a talk given at DevSecCon on 20th October 2016: http://www.devseccon.com/blog/session/automating-owasp-zap/
The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular and best maintained free security tools. In this workshop you will learn how to automate security tests using ZAP. These tests can then be included in your continuous integration / delivery pipeline. Simon will cover the range of integration options available and then walk you through automating ZAP against a test application. The ZAP UI will be used to explain the concepts and python scripting used to drive ZAP via its API – this can then also be used to drive ZAP in daemon mode.
This workshop is aimed at anyone interested in automating ZAP for security testing, including developers, functional testers (QA) and security/pentesters.
Fatcat Automatic Web SQL Injector by Sandeep Kamble (ClubHack)
What is the FatCat SQL injector? FatCat is an automatic SQL injection tool.
FatCat purpose: testing your web application and exploiting it more deeply.
FatCat support:
1) MySQL 5.0
FatCat features:
Union based SQL injection
Error based SQL injection
ModSecurity bypass (WAF)
Top Ten Proactive Web Security Controls v5 (Jim Manico)
It is not easy to build a secure, low-risk or risk-managed web application. Firewalls, “policy” and other traditional information security measures serve as either an incomplete or useless measure in the pursuit of web application security.
As software developers author the code that makes up a web application, they need to do so in a secure manner. All tiers of a web application, the user interface, the business logic, the controller, the database code and more – all need to be developed with security in mind. This can be a very difficult task and developers are often set up for failure. Most developers did not learn about secure coding or crypto in school. The languages and frameworks that developers use to build web applications are often lacking critical core controls or are insecure by default in some way. There may be inherent flaws in requirements and designs. It is also very rare when organizations provide developers with prescriptive requirements that guide them down the path of secure software. When it comes to web security, developers are often set up to lose the security game.
This document was written by developers for developers, to assist those new to secure development. It aims to guide developers and other software development professionals down the path of secure web application software development.
This document is neither scientific nor complete. In fact it is a bit misguided. There are more than 10 issues that developers need to be aware of. Some of these “top ten” controls will be very specific, others will be general categories. Some of these items are technical, others are process based. Some may argue that this document includes items that are not even controls at all. All of these concerns are fair. Again, this is an awareness document meant for those new to secure software development. It is a start, not an end.
Security Testing with OWASP ZAP in CI/CD - Simon Bennetts - Codemotion Amster... (Codemotion)
The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular and best maintained free and open source security tools. This talk by the ZAP project lead will focus on embedding ZAP in continuous integration / delivery pipelines in order to automate security tests. Simon will cover the range of integration options available and explain how ZAP is being integrated into the Mozilla Cloud Services CD pipeline. He will also explain and demonstrate how to drive the ZAP API, which gives complete control over the ZAP daemon.
2. $$Bug_Bounty$$
#whoami
• Sagar M Parmar
• Active #$> Synack Red Team
• <3 $$ Bug Bounties.
• Working as a Security Analyst at Network Intelligence India Pvt. Ltd.
• Chapter Leader of OWASP_Jodhpur
• Email: sagar.parmar@owasp.org
• Follow> https://twitter.com/sagarparmar121
sagar.parmar@owasp.org
3. $$> Bug Bounty <$$
• What is Bug Bounty?
• I am new, how should I start?
• How should I take It forward?
• How should I become Pro?
• What I should do when I am Pro?
sagar.parmar@owasp.org
4. • What is bug bounty?
Also called a VRP (Vulnerability Reward Program).
• Company (Security Team/Vendor)
Improve security, grow the business,
Create a program.
Offer cash, HOF, swag.
Acknowledge your work.
• Researchers / Bug Hunters
Hit the target and get bugs.
Sometimes duplicates, sometimes $$$, sometimes swag,
Sometimes HOF, sometimes only thanks :P
Recheck the bug after the fix.
sagar.parmar@owasp.org
5. • A Brief History of Bug Bounty Programs.
sagar.parmar@owasp.org
Google ~ 30k USD
Facebook ~ 40k USD
Yahoo ~ 15k USD
PayPal, GitHub, AT&T, Twitter, Square,
Mozilla, Microsoft etc.
Well-known Platform,
- 2012
- 2013
- 2013
7. sagar.parmar@owasp.org
I am new, how should I start?
Do's
• Learn about your target.
• Pick any company.
• Learn about it thoroughly.
• Its services.
• All subdomains.
• All mobile applications.
• Monitor any changes.
• Read program rules carefully.
• Expect to learn something new.
• Give respect to breakers, defenders and decisions.
Don'ts
• I want money, I don't care about your policy.
• But that X company gives money for this.
• I will hack you to the death.
• F**k the repeater, I love Burp Scanner, Acunetix.
• I love cookies & session related bugs and version disclosure.
• SQLmap is good only when risk=3
8. sagar.parmar@owasp.org
Have Some <Patience>
• Duplicate
• Wait for response time
• Forget about submission.
• Learn and find new Bugs
• Find New target.
• Go as deep as possible (Chain attack)
• NEVER Ever run a Scanner.
• Do Manual testing.
9. sagar.parmar@owasp.org
Tips
• Make a list of all types of vulnerability.
• Make a database of all types of target, like: PHP, ASP, WordPress, Apache, Angular.
• Make a list of all public exploits.
• Do fuzzing.
• Create Google Alerts for page changes in the list of bounty programs, or any other thing of your choice.
15. sagar.parmar@owasp.org
Bug Bounty Report Format
Vulnerability Reporting
------------------------------
Vulnerability Name :
Vulnerability Description & Impact :
Vulnerable URL :
Vulnerable Parameter :
Payload Used :
Steps to Reproduce :
How to Fix (Recommendation) :
Proof of Concept(Screenshot) :
Or
Video POC
18. sagar.parmar@owasp.org
But I want more money..
• Look out for less exposed areas of the site.
• Injection attacks: everyone is doing them.
• Authorization issues are hard to find, so fewer duplicates.
• Privilege escalation on a least exposed entity in the site has a good chance of hitting a good bug.
19. sagar.parmar@owasp.org
Much More Money…
• Make a checklist of test cases.
• Divide it in two parts.
• Normal bugs
• Everyone knows about them.
• Abnormal bugs.
• You / Someone else found this.
• Only active researchers know about them.
20. sagar.parmar@owasp.org
Hell lot of money…
• Find more logical bugs.
• ~ More money
• ~ Less dupes
• ~ More reputation
• Read blogs. Voila! What a bug! I will test this too.
• OMG! I tested this app too. Why I missed?
• Be aware of every damn new test case to hit a bug.
• One NEW + UNIQUE + CRITICAL bug to rule them all.
22. sagar.parmar@owasp.org
XSS (Cross Site Scripting)
Cross site scripting is a type of attack in which the attacker injects malicious script into a web application; the injected content can take many forms (JavaScript, XML, HTML). With it the attacker can do many things, such as steal cookies, change page content, or phish users.
Payload:
"><script>alert(1)</script>
/* is this blocked? try other payloads and check the behaviour of the WAF */
"><img src=x onerror=alert(1)>
"><svg/onload=alert(1)>
<a href=javascript:alert(1)>helloxss
Also try other event handlers like:
(onabort, onactivate, onafterprint, onafterupdate, onbeforeactivate, onbeforecopy, onbeforecut, onbeforedeactivate, onbeforeeditfocus, onbeforepaste, onbeforeprint, onbeforeunload, onbeforeupdate, onblur… many more…)
Payload: Test" onfocus=alert(1) autofocus="
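Every payload on this slide works by breaking out of an attribute or opening a new tag, and the fix on the defending side is the same for all of them: entity-encode untrusted data at the point where it is written into HTML. The following is an added example (not part of the slides): a hypothetical search page rendered once without encoding and once with `html.escape`, plus a small parser-based check that counts the script-capable constructs (script elements, `on*` handlers, `javascript:` URLs) in the rendered markup. The page template and the `find_active_content` helper are assumptions of this example; the payload strings are taken from the slide as test input.

```python
import html
from html.parser import HTMLParser

# Reflected-XSS test strings from the slide above; used here only as input
# to compare the two renderers.
SLIDE_PAYLOADS = [
    '"><script>alert(1)</script>',
    '"><img src=x onerror=alert(1)>',
    '"><svg/onload=alert(1)>',
    '<a href=javascript:alert(1)>helloxss',
    'Test" onfocus=alert(1) autofocus="',
]


def render_unsafe(term):
    """Hypothetical search page that reflects the query without encoding."""
    return f'<input name="q" value="{term}"><p>You searched for {term}</p>'


def render_safe(term):
    """Same page with entity encoding applied at the point of output.

    html.escape(quote=True) encodes < > & " and ', so the reflected text can
    neither close the attribute it sits in nor open a new tag.
    """
    enc = html.escape(term, quote=True)
    return f'<input name="q" value="{enc}"><p>You searched for {enc}</p>'


class _ActiveContentFinder(HTMLParser):
    """Collects constructs in the parsed markup that would run script."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for name, value in attrs:
            if name.startswith("on"):
                self.findings.append(f"{name} handler on <{tag}>")
            if name in ("href", "src") and value and \
                    value.strip().lower().startswith("javascript:"):
                self.findings.append(f"javascript: URL in {name} of <{tag}>")


def find_active_content(markup):
    """Return a description of every script-capable construct in markup."""
    finder = _ActiveContentFinder()
    finder.feed(markup)
    finder.close()
    return finder.findings


def compare_renderers(term):
    """(unsafe count, safe count) of script-capable constructs for one input."""
    return (len(find_active_content(render_unsafe(term))),
            len(find_active_content(render_safe(term))))


if __name__ == "__main__":
    for payload in SLIDE_PAYLOADS:
        print(repr(payload), "->", compare_renderers(payload))
```

The encoded page yields zero findings for every payload, including the `onfocus`/`autofocus` one that never uses `<` at all, which is why filtering on angle brackets or on a list of event-handler names is a weaker control than contextual output encoding.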
24. sagar.parmar@owasp.org
SQLi (Structured Query Language Injection)
What: SQL injection is a type of attack in which the attacker passes a malicious query fragment through user input and exploits the backend database (e.g. to get database information).
What vulnerability: authentication bypass is one resulting vulnerability.
Types: 3 types of SQL injection: (1) union based, (2) error based, (3) blind SQL injection.
How to check for SQL injection?
1. Check any user input with quotes (single ' or double " or /) to see whether it breaks the SQL query or not.
2. If some content is missing or an error appears, do further testing.
3. Balance the SQL query by using quotes and SQL comments like (#, -- -).
4. Find the number of columns used in the table of the running query.
Eg: username=admin'order by 1-- - loads normally
username=admin'order by 2-- - loads normally
username=admin'order by 3-- - gives error/content missing
Which means there are only 2 columns.
25. sagar.parmar@owasp.org
SQLi
5. Create/join another row using the UNION clause.
Eg. username=admin' union select 1,2-- - // will create another row
6. Falsify the query by using some Boolean logic:
Eg. username=admin' and 1=2 union select 1,2-- - // will create another row
This will make the column(s) be shown in the page.
7. Now you can extract the information by using SQL queries in the visible column.
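The behaviour described in steps 2 to 6 (an error for `order by 3`, a normal page for `order by 2`, an extra row from the `union`) only exists because the input is spliced into the SQL text. The following is an added example (not from the slides): a constructed in-memory SQLite table with a username lookup written both ways, string concatenation and a bound parameter, and an `observe` helper that reports what a tester would see for the slide's inputs. Table layout, sample users and the `observe` helper are assumptions of this example.

```python
import sqlite3

# Inputs quoted from the slide's steps 4-6, used here only as test input.
PROBE_ORDER_BY_2 = "admin' order by 2-- -"
PROBE_ORDER_BY_3 = "admin' order by 3-- -"
UNION_PAYLOAD = "admin' and 1=2 union select 1,2-- -"


def make_db():
    """In-memory SQLite database with constructed sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (username) VALUES (?)", [("admin",), ("alice",)])
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """String concatenation: the input becomes part of the SQL text.

    '-- -' starts a SQL comment, so the closing quote the template appends
    is swallowed and the rest of the input is parsed as SQL.
    """
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterised query: the input is bound as data, never parsed as SQL."""
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


def observe(conn, lookup, username):
    """Summarise the tester-visible outcome: a row count or a database error."""
    try:
        rows = lookup(conn, username)
    except sqlite3.Error as exc:
        return ("error", exc.__class__.__name__)
    return ("rows", len(rows))


if __name__ == "__main__":
    db = make_db()
    for probe in (PROBE_ORDER_BY_2, PROBE_ORDER_BY_3, UNION_PAYLOAD):
        print(repr(probe))
        print("  concatenated:", observe(db, lookup_vulnerable, probe))
        print("  parameterised:", observe(db, lookup_safe, probe))
```

With the parameterised lookup every probe simply returns zero rows, because there is no user named `admin' order by 3-- -`; the column-count oracle and the injected `union` row disappear, which is the detection signal a reviewer looks for when checking that a fix actually used bound parameters rather than input filtering.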
26. sagar.parmar@owasp.org
SSRF (Server Side Request Forgery)
• Server Side Request Forgery (SSRF) is a vulnerability that appears when an attacker has the ability to make the vulnerable server issue requests.
• Usually, SSRF attacks target internal systems behind the firewall that are normally inaccessible from the outside world (but using SSRF it's possible to reach these systems).
• With SSRF it's also possible to access services on the same server that are listening on the loopback interface.
How to look for SSRF?
1. Check for requests where some parameter contains a URL to an external/internal hostname/IP.
2. Try putting your own IP/hostname in that parameter and simply check your server logs.
3. If there is a request in the logs from their IP, then look for internal services.
4. You can do various things like port scanning and fingerprinting services, and also use their server as a proxy to attack others.
5. You can enter http://localhost:port to check for services; if that is blocked you could use 127.0.0.1 or the IPv6 localhost: http://[::]:port
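Step 5 lists three spellings of the loopback host, and a filter that only blocks the string `localhost` misses the other two. The following is an added example (not from the slides) of the server-side check for a "fetch this URL" feature: it restricts the scheme, rejects loopback, private, link-local, multicast and unspecified addresses for both IPv4 and IPv6 literals (including the IPv4-mapped `::ffff:127.0.0.1` form), and applies the same test to every address a hostname resolves to. The DNS table and `stub_resolve` are constructed so the example runs offline; `is_safe_fetch_url` and its parameters are assumptions of this example.

```python
import ipaddress
from urllib.parse import urlparse

ALLOWED_SCHEMES = {"http", "https"}

# Constructed DNS table so the example runs offline; a real deployment would
# resolve with the system resolver (socket.getaddrinfo) instead.
CONSTRUCTED_DNS = {
    "example.com": ["93.184.216.34"],
    "intranet.corp.example": ["10.0.0.5"],
    "localhost": ["127.0.0.1"],
}


def stub_resolve(hostname):
    """Stand-in resolver: returns the constructed addresses for a name."""
    return CONSTRUCTED_DNS.get(hostname, [])


def is_public_address(ip_text):
    """True only for addresses that belong on the public internet."""
    addr = ipaddress.ip_address(ip_text)
    mapped = getattr(addr, "ipv4_mapped", None)  # ::ffff:127.0.0.1 -> 127.0.0.1
    if mapped is not None:
        addr = mapped
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def is_safe_fetch_url(url, resolve=stub_resolve):
    """Decide whether a user-supplied URL may be fetched by the server."""
    parts = urlparse(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    host = parts.hostname  # lower-cased; brackets stripped from IPv6 literals
    if host == "localhost" or host.endswith(".localhost"):
        return False
    try:
        return is_public_address(host)  # the URL carried an IP literal
    except ValueError:
        pass                            # not an IP literal: treat as a hostname
    addresses = resolve(host)
    return bool(addresses) and all(is_public_address(a) for a in addresses)


if __name__ == "__main__":
    for candidate in ("http://example.com/status", "http://localhost:8080/",
                      "http://127.0.0.1/", "http://[::]:80/",
                      "http://[::ffff:127.0.0.1]/", "http://intranet.corp.example/"):
        print(candidate, "->", "allowed" if is_safe_fetch_url(candidate) else "blocked")
```

Two caveats a reviewer should raise on any such check: the address verified here must be the one the HTTP client actually connects to (resolve once and connect to that address, or re-run the check at connect time, otherwise a name that re-resolves to an internal address between check and use passes), and the check must be repeated for every redirect the client follows.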
27. sagar.parmar@owasp.org
LFI (Local File Inclusion)
Local File Inclusion (also known as LFI) is the process of including files, that are already locally
present on the server, through the exploiting of vulnerable inclusion procedures
implemented in the application. This vulnerability occurs, for example, when a page receives,
as input, the path to the file that has to be included and this input is not properly sanitized,
allowing directory traversal characters (such as dot-dot-slash) to be injected. Although most
examples point to vulnerable PHP scripts, we should keep in mind that it is also common in
other technologies such as JSP, ASP and others.
How to check for inclusion vulnerabilities?
1. Check for parameters where you feel another file is being included.
Eg: http://www.site.com/?page=somepage
http://www.site.com/?file=somepage.php
2. Use the file:// protocol or directory traversal techniques to read files, like:
Eg: http://www.site.com/?page=../../../../../../etc/passwd #for *nix
http://www.site.com/?page=C:/Windows/System32/drivers/etc/hosts #for Windows
3. You could also use file:///etc/passwd or file://c://windows/system32/drivers/etc/hosts
4. For PHP-specific applications you could use the php://filter wrapper to read files too.
5. It could be used to escalate to RCE in some cases where you are able to include external files, or use the data: wrapper (Remote File Inclusion).
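The inputs in steps 2 to 5 fall into a handful of shapes (traversal segments, absolute paths, drive letters and stream wrappers such as `file://`, `php://` and `data:`), and the robust defence is an allowlist of page names rather than a blocklist of those shapes. The following is an added example (not from the slides) of such a check for a `?page=` parameter, with a `reject_reason` helper that names which shape was seen, useful for logging, and a `resolve_include` that maps an accepted name to a file under the page directory with a realpath containment check as defence in depth. The `.html` mapping, the helper names and the temporary demo directory are assumptions of this example; the test inputs are the slide's own.

```python
import os
import re
import tempfile
from urllib.parse import unquote

PAGE_NAME = re.compile(r"^[A-Za-z0-9_-]+$")              # allowlist of page names
SCHEME_OR_DRIVE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")  # file://, php://, data:, C:/


def reject_reason(requested):
    """Return why a page parameter is unacceptable, or None if it is fine."""
    value = unquote(requested)            # one round of %XX decoding
    if "\x00" in value:
        return "null byte"
    if SCHEME_OR_DRIVE.match(value):
        return "scheme or drive prefix"
    if value.startswith(("/", "\\")):
        return "absolute path"
    if ".." in re.split(r"[\\/]", value):
        return "traversal"
    if not PAGE_NAME.match(value):
        return "not an allowlisted page name"
    return None


def resolve_include(base_dir, requested):
    """Map ?page=<name> to <base_dir>/<name>.html, or None if rejected."""
    if reject_reason(requested) is not None:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, unquote(requested) + ".html"))
    if os.path.commonpath([base, candidate]) != base:  # defence in depth
        return None
    return candidate if os.path.isfile(candidate) else None


def make_demo_dir():
    """Constructed page directory containing a single includable page."""
    directory = tempfile.mkdtemp(prefix="lfi-demo-")
    with open(os.path.join(directory, "somepage.html"), "w", encoding="utf-8") as fh:
        fh.write("<h1>some page</h1>")
    return directory


if __name__ == "__main__":
    demo = make_demo_dir()
    for value in ("somepage", "somepage.php", "../../../../../../etc/passwd",
                  "C:/Windows/System32/drivers/etc/hosts", "file:///etc/passwd",
                  "php://filter/convert.base64-encode/resource=index"):
        print(repr(value), "->", reject_reason(value), resolve_include(demo, value))
```

Because the final gate is the allowlist, the earlier checks exist only to produce a precise reason for the log entry; an encoded or double-encoded traversal that survives the single `unquote` still fails the name pattern.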
28. sagar.parmar@owasp.org
Remote Code Execution (RCE)
In computer security, arbitrary code execution or remote code execution describes an attacker's ability to execute any commands of the attacker's choice on a target machine or in a target process.
It happens when user input is unvalidated and used directly in command-line arguments or in eval-like functions.
How to check for RCE?
1. Fuzz every possible parameter/user input for command execution.
2. Vulnerabilities like RCEs are found much more often when source code is available.
3. Functionalities like "pinging" and "DNS lookups" should be tested well for RCE.
4. Various ways of testing command execution:
1. Pipes (|) or || (double pipes), eg: ||ls
2. Ampersand (&) or double ampersand (&&), eg: & dir
3. $(ls) /* for *nix only */
4. (Backticks) `ls` /* for *nix only */
5. Maybe some switches/options could be used related to the running command
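The four forms in step 4 all rely on a shell interpreting the input, which is why the "pinging" feature in step 3 is the classic place to find them. The following is an added example (not from the slides) showing the same feature two ways: the concatenated command line a vulnerable implementation would hand to `/bin/sh` (built as a string only, never run), and a hardened form that validates the hostname and passes it as a single `argv` element with no shell. A `has_shell_metachars` helper gives a detection signal for logging, and `child_receives` runs a real child process without a shell to show that `$(ls)` arrives as literal text. The hostname pattern, the helper names and the use of the Python interpreter as the child are assumptions of this example.

```python
import re
import subprocess
import sys

# Test strings in the four forms the slide lists under step 4.
SLIDE_PROBES = ["||ls", "& dir", "$(ls)", "`ls`"]

# Conservative hostname syntax: labels of letters, digits and hyphens.
HOSTNAME = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)
SHELL_METACHARS = set("|&;$`<>(){}\n\r'\"\\")


def has_shell_metachars(text):
    """Detection helper: flags input that a shell would interpret specially."""
    return any(ch in SHELL_METACHARS for ch in text)


def vulnerable_shell_line(host):
    """The string a concatenating ping feature would pass to os.system().

    Built for contrast only; this example never executes it.
    """
    return "ping -c 1 " + host


def build_ping_argv(host):
    """Hardened form: validate first, then keep host as one argv element."""
    if not HOSTNAME.match(host):
        raise ValueError("invalid hostname")
    return ["ping", "-c", "1", host]


def child_receives(arg):
    """Run a child without a shell and return argv[1] exactly as it arrived.

    The current Python interpreter stands in for the real program so the
    demonstration is portable; the point is the argv list, not the child.
    """
    completed = subprocess.run(
        [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", arg],
        capture_output=True, text=True, check=True,
    )
    return completed.stdout


if __name__ == "__main__":
    for probe in SLIDE_PROBES:
        print(repr(probe), "metachars:", has_shell_metachars(probe),
              "| child saw:", repr(child_receives(probe)))
    print(build_ping_argv("example.com"))
```

Passing an argument list is what removes the shell from the picture; the hostname allowlist is still needed because the target program itself may treat a leading `-` or other characters as options, which is the point of step 5 on the slide.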
29. sagar.parmar@owasp.org
How should I become PRO?
• Follow Top Researchers
• Read blogs
• Read about vulnerability
• Create your own logics
• Follow twitter
30. sagar.parmar@owasp.org
Reference Links or researcher blogs
XSS & Sqli:> http://securityidiots.com
http://www.pwntester.com
https://www.hackerone.com/resources/hack-learn-earn
www.geekboy.ninja
https://blog.bugcrowd.com/topic/bug-hunter-tips-and-tricks
Publicly disclosed HackerOne reports
All top researcher blogs and Twitter accounts.